Add new `send-report-channel` and `log-report-channel` options. `send-report-channel` specifies an agent domain, to which error reports can be sent by querying a specially constructed name within the agent domain. EDNS Report-Channel options will be added to outgoing authoritative responses, to inform clients where to send such queries in the event of a problem.
If a zone is configured which matches the agent domain and has `log-report-channel` set to `yes`, error-reporting queries will be logged at level `info` to the `dns-reporting-agent` logging channel.
Closes #3659
Merge branch '3659-implement-draft-ietf-dnsop-dns-error-reporting' into 'main'
Evan Hunt [Tue, 22 Oct 2024 20:48:58 +0000 (13:48 -0700)]
suppress report-channel for zones above the agent-domain
RFC 9567 section 8.1 specifies that the agent domain cannot
be a subdomain of the domain it is reporting on. therefore,
in addition to making it illegal to configure that at the
zone level, we also need to disable send-report-channel for
any zone for which the global send-report-channel value is
a subdomain.
we also now warn if send-report-channel is configured
globally to a zone that we host, but that zone doesn't
have log-report-channel set.
Evan Hunt [Sun, 20 Oct 2024 01:16:35 +0000 (18:16 -0700)]
set up logging functionality using log-report-channel
the logging of error-report queries is no longer activated by
the view's "send-report-channel" option; that now only configures
the agent-domain value that is to be sent in authoritative
responses. the warning that was logged when "send-agent-domain"
was set to a value that is not a locally configured zone has
been removed.
error-report logging is now activated by the presence of an
authoritative zone with the "log-report-channel" option set to
"yes". this is not permitted in the root zone.
NOTE: a zone with "log-report-channel yes;" should contain a
"*._er" wildcard, but that requirement is not yet enforced.
Evan Hunt [Sat, 19 Oct 2024 20:26:38 +0000 (13:26 -0700)]
add log-report-channel zone option
add a boolean "log-report-channel" option for primary and
secondary zones, which sets the DNS_ZONEOPT_LOGREPORTS zone
flag. this option is not yet functional.
Mark Andrews [Wed, 15 May 2024 04:10:43 +0000 (14:10 +1000)]
Allow send-report-channel to be set at the zone level
If send-report-channel is set at the zone level, it will
be stored in the zone object and used instead of the
view-level agent-domain when constructing the EDNS
Report-Channel option.
Mark Andrews [Sun, 6 Nov 2022 14:18:44 +0000 (14:18 +0000)]
Add send-report-channel option
This commit adds support for the EDNS Report-Channel option,
which is returned in authoritative responses when EDNS is in use.
"send-report-channel" sets the Agent-Domain value that will be
included in EDNS Report-Channel options. This is configurable at
the options/view level; the value is a DNS name. Setting the
Agent-Domain to the root zone (".") disables the option.
When this value has been set, incoming queries matchng the form
_er.<qtype>.<qname>.<extended-error-code>._er.<agent-domain>/TXT
will be logged to the dns-reporting-agent channel at INFO level.
(Note: error reporting queries will only be accepted if sent via
TCP or with a good server cookie. If neither is present, named
returns BADCOOKIE to complete the DNS COOKIE handshake, or TC=1
to switch the client to TCP.)
Mark Andrews [Wed, 29 May 2024 05:04:37 +0000 (15:04 +1000)]
Add per rule logging of dns_ssutable_checkrules processing
These are logged to the update category at debug level 99 and
have the following form.
update-policy: using: signer=ddns-key.example.nil, name=updated.example.nil, addr=10.53.0.1, tcp=0, type=A, target=
update-policy: trying: grant zonesub-key.example.nil zonesub TXT
update-policy: next rule: signer does not match identity
update-policy: trying: grant ddns-key.example.nil zonesub ANY
update-policy: matched: grant ddns-key.example.nil zonesub ANY
or
update-policy: using: signer=restricted.example.nil, name=example.nil, addr=10.53.0.1, tcp=0, type=TXT, target=
update-policy: trying: grant zonesub-key.example.nil zonesub TXT
update-policy: next rule: signer does not match identity
update-policy: trying: grant ddns-key.example.nil zonesub ANY
update-policy: next rule: signer does not match identity
update-policy: trying: grant restricted.example.nil zonesub ANY
update-policy: next rule: name/subdomain mismatch
update-policy: no match found
where 'using:' is the calling parameters of dns_ssutable_checkrules,
'trying:' in the rule bing evaluated, "next rule:" is the reason
the rule does not match, "matched:" repeats the matched rule, and
no match found is reported when te set of rules is exhausted.
Nicki Křížek [Tue, 22 Oct 2024 08:20:25 +0000 (08:20 +0000)]
fix: test: Use UTC timezone when handling keys in kasp test library
When working with key timestamps, ensure we correctly set the UTC
timezone in order for the tests to work consistently regardless of the
local time setting.
Closes #4999
Merge branch '4999-pytest-kasp-use-utc-timezone' into 'main'
Nicki Křížek [Mon, 21 Oct 2024 10:18:43 +0000 (12:18 +0200)]
Set TZ to Australia/Sydney for bookworm CI job
Use a different timezone via the TZ variable in at least one of the
system test jobs in order to detect possible issues with timezone
handling in python.
Nicki Křížek [Mon, 21 Oct 2024 10:08:52 +0000 (12:08 +0200)]
Use UTC timezone when handling keys in kasp test library
When working with key timestamps, ensure we correctly set the UTC
timezone in order for the tests to work consistently regardless of the
local time setting.
Mark Andrews [Mon, 21 Oct 2024 00:34:32 +0000 (11:34 +1100)]
Fix parsing of hostnames in rndc.conf
When DSCP was removed the parsing of hostnames was accidentally
broken resulting in an assertion failure. Call cfg_parse_tuple
rather than using custom code in parse_sockaddrnameport.
Michal Nowak [Thu, 17 Oct 2024 10:47:11 +0000 (10:47 +0000)]
chg: doc: Read the Docs should always source requirements.txt from "main"
HTTP URI of doc/arm/requirements.txt on the "main" branch is the source
of PyPI packages in CI base image. To make it consistent in all
maintained CI branches on RTD, use the HTTP URI as well.
This change is non-material on the "main" branch, but ensures the right
packages on stable branches where for RTD we currently leverage outdated
packages because we failed to update doc/arm/requirements.txt there.
Merge branch 'mnowak/rtd-always-resource-requirements-txt-from-main' into 'main'
Michal Nowak [Mon, 14 Oct 2024 18:17:28 +0000 (20:17 +0200)]
Read the Docs should always source requirements.txt from "main"
HTTP URI of doc/arm/requirements.txt on the "main" branch is the source
of PyPI packages in CI base image. To make it consistent in all
maintained CI branches on RTD, use the HTTP URI as well.
This change is non-material on the "main" branch, but ensures the right
packages on stable branches where for RTD we currently leverage outdated
packages because we failed to update doc/arm/requirements.txt there.
Michal Nowak [Wed, 16 Oct 2024 18:04:55 +0000 (20:04 +0200)]
Add RFCs referenced by footnotes
With Sphinx 8.1.0, footnotes can't stand on their own and have
referenced from somewhere:
/builds/isc-projects/bind9/doc/arm/general.rst:439: WARNING: Footnote [#] is not referenced. [ref.footnote]
/builds/isc-projects/bind9/doc/arm/general.rst:441: WARNING: Footnote [#] is not referenced. [ref.footnote]
/builds/isc-projects/bind9/doc/arm/general.rst:445: WARNING: Footnote [#] is not referenced. [ref.footnote]
/builds/isc-projects/bind9/doc/arm/general.rst:457: WARNING: Footnote [#] is not referenced. [ref.footnote]
Nicki Křížek [Mon, 14 Oct 2024 12:44:06 +0000 (14:44 +0200)]
Disable too-many/too-few pylint checks
Enforcing pylint standards and default for our test code seems
counter-productive. Since most of the newly added code are tests or is
test-related, encountering these checks rarely make us refactor the code
in other ways and we just disable these checks individually. Code that
is too complex or convoluted will be pointed out in reviews anyways.
Move all test cases from tests.sh to tests_ksr.py. The only test that
is not moved is the check that key id's match expected keys. The
shell-based system test checks two earlier set environment variables
against each other that has become redundant in the pytest variant,
because we now check the signed key response against a list of keys
and for each key we take into account the timing metadata. So we
already ensure that each published key is in the correct key bundle.
Write initial pytest kasp library. This contains everything that is
required for testing Offline KSK functionality with pytest.
This includes:
- addtime: adding a value to a timing metadata
- get_timing_metdata: retrieve timing metadata from keyfile
- get_metadata/get_keystate: retrieve metadata from statefile
- get_keytag: retrieve keytag from base keyfile string
- get_keyrole: get key role from statefile
- dnskey_equals: compare DNSKEY record from file against a string
- cds_equals: compare CDS derived from file against a string
- zone_is_signed: wait until a zone is completely signed
- dnssec_verify: verify a DNSSEC signed zone with dnssec-verify
- check_dnssecstatus: check rndc dnssec -status output
- check_signatures: check that signatures for a given RRset are correct
- check_dnskeys: check that the published DNSKEY RRset is correct
- check_cds: check that the published CDS RRset is correct
- check_apex: check SOA, DNSKEY, CDNSKEY, and CDS RRset
- check_subdomain: check an RRset below the apex
Aydın Mercan [Wed, 16 Oct 2024 12:53:31 +0000 (12:53 +0000)]
chg: dev: unify explicit fetching and libcrypto handling
Unify libcrypto initialization and explicit digest fetching in a single place.
It will remove the remaining implicit fetching and deduplicate explicit
fetching inside the codebase. Initialization has been moved in to ensure
OpenSSL cleanup is done only after fetched contextes are destroyed.
Merge branch 'aydin/libdns-explicit-fetch' into 'main'
Nicki Křížek [Tue, 15 Oct 2024 11:14:02 +0000 (11:14 +0000)]
chg: ci: Allow re-try of unit tests on FreeBSD 14
The unit test doh_test tends do fail quite often due to exceeding run
time limit in the unit:clang:freebsd14:amd64 job. Use a retry on gitlab
level to alleviate the issue until a better fix is available.
Related #4924
Merge branch '4924-retry-doh_test-freebsd14' into 'main'
Nicki Křížek [Tue, 1 Oct 2024 15:10:23 +0000 (17:10 +0200)]
Allow re-try of unit tests on FreeBSD 14
The unit test doh_test tends do fail quite often due to exceeding run
time limit in the unit:clang:freebsd14:amd64 job. Use a retry on gitlab
level to alleviate the issue until a better fix is available.
Nicki Křížek [Tue, 15 Oct 2024 08:03:25 +0000 (10:03 +0200)]
Support dnspython 2.7.0
CookieOption with new .server/.client attributes (rather than .data) was
added to dnspython. Adjust the code to use the new attributes if
available and fall back to the old code for dnspython<2.7.0
compatibility.
Mark Andrews [Mon, 14 Oct 2024 23:54:27 +0000 (23:54 +0000)]
fix: usr: Fix NSEC3 closest encloser lookup for names with empty non-terminals
The performance improvement for finding the NSEC3 closest encloser when generating authoritative responses could cause servers to return incorrect NSEC3 records in some cases. This has been fixed.
Closes #4950
Merge branch '4950-bind-logs-expected-covering-nsec3-got-an-exact-match' into 'main'
Mark Andrews [Thu, 10 Oct 2024 05:39:10 +0000 (16:39 +1100)]
Use a binary search to find the NSEC3 closest encloser
maxlabels is the suffix length that corresponds to the latest
NXDOMAIN response. minlabels is the suffix length that corresponds
to longest found existing name.
Evan Hunt [Sat, 12 Oct 2024 03:19:02 +0000 (20:19 -0700)]
check 'rndc recursing'
there was no system test that exercised 'rndc recursing'; a
simple one has now been added; it confirms that the number of
recursing clients reported by 'rndc stats' is in agreement with
the list returned by 'rndc recursing'.
Michal Nowak [Wed, 9 Oct 2024 10:53:50 +0000 (12:53 +0200)]
Add libjson-c-dev before #4960 is addressed
Otherwise the "statistics-channels" option in doc/misc/options and
doc/man/named.conf.5in is marked as "not configured" (contrary to what
we have in release tarballs as they were build on a different image that
has libjson-c and libxml2 in it).
Caused by #4895 that made the option dependant on libjson-c or libxml2
presence in the build image.
Matthijs Mekking [Mon, 14 Oct 2024 07:15:41 +0000 (07:15 +0000)]
chg: usr: Harden key management when key files have become unavailabe
Prior to doing key management, BIND 9 will check if the key files on disk match the expected keys. If key files for previously observed keys have become unavailable, this will prevent the internal key manager from running.
Merge branch '4763-do-not-roll-if-key-files-are-missing' into 'main'
Matthijs Mekking [Tue, 20 Aug 2024 12:38:24 +0000 (14:38 +0200)]
Test removing DNSKEYs from other providers
In a multi-signer setup, removing DNSKEY records from the zone should
not be treated as a key that previously exists in the keyring, thus
blocking the keymgr. Add a test case to make sure.
Matthijs Mekking [Mon, 19 Aug 2024 07:46:56 +0000 (09:46 +0200)]
Add additional test case with purged key
Test that if a key to be purged is in the keyring, it does not
prevent the keymgr from running. Normally a key that is in the keyring
should be available again on the next run, but that is not true for
a key that can be purged.
In addition, fix some wait_for_log calls, by adding the missing
'|| ret=1' parts.
Matthijs Mekking [Wed, 14 Aug 2024 12:38:22 +0000 (14:38 +0200)]
Fix some system test cases
Some test cases were working but for the wrong reasons. These started
to fail when I implemented the first approach for #4763, where the
existence of a DNSKEY together with an empty keyring is suspicious and
would prevent the keymgr from running.
These are:
1. kasp: The multisigner-model2.kasp zone has ZSKs from other providers
in the zone, but not yet its own keys. Pregenerate signing keys and
add them to the unsigned zone as well.
2. kasp: The dynamic-signed-inline-signing.kasp zone has a key generated
and added in the raw version of the zone. But the key file is stored
outside the key-directory for the given zone. Add '-K keys' to the
dnssec-keygen command.
Matthijs Mekking [Thu, 15 Aug 2024 08:36:15 +0000 (10:36 +0200)]
Verify new key files before running keymgr
Prior to running the keymgr, first make sure that existing keys
are present in the new keylist. If not, treat this as an operational
error where the keys are made offline (temporarily), possibly unwanted.
In this specific case the key files are temporary unavailable, for
example because of an operator error, or a mount failure). In such
cases, BIND should not try to roll over these keys.
Artem Boldariev [Thu, 10 Oct 2024 19:05:54 +0000 (19:05 +0000)]
fix: dig - always set the default port when doing a UDP query
This commit ensures that the port is set before attempting a UDP
query. Before that a situation could appear when previous query have
completed over a different transport (that uses a dedicated port) and
then a UDP query will be attempted over the port of the previous
transport.
Closes: #4984.
Merge branch 'artem-debian-bug-1059582' into 'main'
Artem Boldariev [Thu, 10 Oct 2024 10:18:05 +0000 (13:18 +0300)]
dig: always set the default port when doing a UDP query
This commit ensures that the port is set before attempting a UDP
query. Before that a situation could appear when previous query have
completed over a different transport (that uses a dedicated port) and
then a UDP query will be attempted over the port of the previous
transport.
Arаm Sаrgsyаn [Wed, 9 Oct 2024 11:38:35 +0000 (11:38 +0000)]
fix: dev: Fix error path bugs in the manager's "recursing-clients" list management
In two places, after linking the client to the manager's
"recursing-clients" list using the check_recursionquota()
function, the query.c module fails to unlink it on error
paths. Fix the bugs by unlinking the client from the list.
Merge branch 'aram/unlink-recursing-clients-on-error-paths' into 'main'
Aram Sargsyan [Wed, 2 Oct 2024 16:39:13 +0000 (16:39 +0000)]
Refactor the way check_recursionquota() is used
Rename check_recursionquota() to acquire_recursionquota(), and
implement a new function called release_recursionquota() to
reverse the action. It helps with decreasing code duplication.
projects / thirdparty / bind9.git / log
